Imagine a high-rise building with an alarm system so robust that sensors guard every one of its 65,000 doors and windows. There's one catch, though: All of the sensors report to a single control panel, operated by a single security guard. What happens when a sensor goes off? Can the guard hightail it over to the right entry point on the right floor in time to stop an intruder? Probably not. More likely, the guard won't even catch sight of the intruder and will then spend hours looking for damage. What you need are automatically locking steel doors or gates that drop down in critical areas when an intrusion occurs, and maybe some safes that will not open while an alarm is ringing.

When your network relies solely on perimeter security such as firewalls and intrusion detection systems (IDSs), you're betting the farm on an incomplete solution. All an IDS can do is send an alert while something is happening or, worse, when the intrusion is already over.

In this multigigahertz world, it's easy for someone with a good attack script to do whatever he wants in a few seconds. You need those extra steel doors, a second layer of defense that's automated and CPU-fast, keeping you safe in real time. A technology called intrusion prevention is emerging to bridge the gap. Despite its name, the technology usually kicks in after the perimeter has already been breached; its job is to stop the intruder from doing anything useful once he's inside.

For Joe Hacker, the real value of your network lies in key host machines and the information they contain. Joe Hacker won't celebrate breaking through your firewall if all it gets him is access to an ink jet and an MP3 repository. The idea of intrusion prevention is to ensure exactly that. By allowing only certain behaviors on critical hosts, the technology leaves a hacker with little freedom to do anything malicious.

How does it work? You may have already seen intrusion prevention in its simplest form if you have a decent firewall such as Norton Personal Firewall or ZoneAlarm. This type of software relies on signature- and behavior-based scanning to spot inappropriate activity. It uses predefined attack signatures, and it also learns what behaviors you'll allow every time you click yes or no when an application wants to do something. Eventually (in theory), user interaction is minimized and the software mostly knows what's good and bad. This is really the only affordable intrusion prevention on the market.

Larger systems work in a similar way on critical hosts, although typical setups cost tens of thousands. As personal firewall technology begins to mature and enter the managed space, and enterprise software comes down in price, a wider range of choices will be available for smaller businesses. Unlike personal firewalls, the pricier enterprise products are centrally controlled and enforced, but they are automated (unlike our jogging security guard).

Okena's StormWatch ($4,995 for the console, $1,800 for server agents; www.okena.com) uses an administrative console that controls agents installed on key desktops and servers. You can specify proper behavior for each machine in detail. The software then intercepts and examines all calls made to the kernel on each protected system, and allows only approved calls.

Entercept 2.5 ($4,995 for the console, $1,596 for server agents; www.entercept.com) also relies on behavioral rules but assumes that there's probably no way to anticipate every improper behavior and adds signature-based protection as backup. Further, Entercept is developing specialized intrusion prevention with a version of its software hardened for Microsoft SQL Server. That's a good idea; people who monitor attack patterns worldwide agree that one of the most serious attacks out there is SQL injection, in which crafted input is slipped into a database query so that it returns or alters data the requester was never entitled to. (Buffer overflows against the database server itself are a separate class of host attack, and one these agents are also meant to contain.)
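To make the two approaches above concrete, here is an added example (not code from Okena, Entercept, or this article) of the decision logic a host agent of the kind described would apply: a per-process allowlist of kernel calls and their arguments, checked first, with a small set of signatures as the backup that catches what the allowlist failed to anticipate. The process names, paths, addresses, signatures and the event stream are all constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Policy:
    # Behavioral rules: process name -> {call name -> allowed argument patterns}.
    # Anything not listed here is denied; this is the "only approved calls" model.
    allow: dict
    # Signature backup: argument patterns that are hostile regardless of which
    # process issues them, for behaviors the allowlist did not anticipate.
    signatures: list

# Hypothetical policy for a web front end and the database server it talks to.
POLICY = Policy(
    allow={
        "httpd": {
            "open":    [r"/var/www/.*", r"/var/log/httpd/.*"],
            "connect": [r"10\.0\.0\.5:1433"],
        },
        "dbserver": {
            "open":   [r"/data/db/.*"],
            "listen": [r"0\.0\.0\.0:1433"],
        },
    },
    signatures=[r"\.\./\.\./", r"/etc/passwd", r"xp_cmdshell"],
)

def decide(policy: Policy, event: dict):
    """Return ("allow" | "deny", reason) for one intercepted call."""
    proc, call, arg = event["proc"], event["call"], event["arg"]
    rules = policy.allow.get(proc)
    if rules is None:
        return "deny", f"no policy for process {proc!r}"
    patterns = rules.get(call)
    if patterns is None:
        return "deny", f"{call} is not permitted for {proc}"
    if not any(re.fullmatch(p, arg) for p in patterns):
        return "deny", f"{call} {arg!r} is outside the allowed set for {proc}"
    # The behavior is allowed; now run the signature backup over the argument.
    for sig in policy.signatures:
        if re.search(sig, arg, re.IGNORECASE):
            return "deny", f"signature match {sig!r}"
    return "allow", f"{call} {arg!r} approved for {proc}"

def enforce(policy: Policy, events: list) -> list:
    """Apply decide() to a sequence of events; returns [(event, verdict, reason)]."""
    return [(ev, *decide(policy, ev)) for ev in events]

# Constructed sample of intercepted calls, in the order an agent might see them.
EVENTS = [
    {"proc": "httpd",    "call": "open",    "arg": "/var/www/html/index.html"},
    {"proc": "httpd",    "call": "exec",    "arg": "/bin/sh"},
    {"proc": "httpd",    "call": "open",    "arg": "/var/www/../../etc/passwd"},
    {"proc": "dbserver", "call": "open",    "arg": "/data/db/master.mdf"},
    {"proc": "dbserver", "call": "connect", "arg": "203.0.113.9:80"},
    {"proc": "cmdtool",  "call": "open",    "arg": "/tmp/drop"},
]

if __name__ == "__main__":
    for ev, verdict, reason in enforce(POLICY, EVENTS):
        print(f"{verdict:5} {ev['proc']:9} {ev['call']:8} {ev['arg']:32} {reason}")
```

The third event is the one that justifies the backup: `/var/www/../../etc/passwd` satisfies the allowlist pattern for `httpd`, so a purely behavioral agent would let it through, while the traversal signature stops it. A real agent would also canonicalize the path before matching, but the point of the example is the layering, not path handling.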

Basically, intrusion prevention for a SQL query would say, "I don't think Joe Hacker really has a right to all these credit card numbers," and put a stop to his request. An IDS would just let an administrator know that someone may have all of those numbers already.
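As an added illustration of that paragraph (example code, not from the article or any vendor), the following shows the injection it describes against an in-memory SQLite table, the parameterized query that prevents it at the source, and a hypothetical gate in the spirit of a prevention agent that refuses to hand back rows belonging to anyone but the customer the request was made for. The table, customers and card numbers are constructed test data.

```python
import sqlite3

def build_db() -> sqlite3.Connection:
    """Constructed sample data: three customers, one card each."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (customer TEXT, number TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?)", [
        ("alice", "4111-0000-0000-0001"),
        ("bob",   "4111-0000-0000-0002"),
        ("carol", "4111-0000-0000-0003"),
    ])
    return conn

def vulnerable_lookup(conn, customer: str) -> list:
    # The customer name is pasted straight into the SQL text, so the caller
    # can close the quoted string and rewrite the WHERE clause.
    sql = "SELECT customer, number FROM cards WHERE customer = '" + customer + "'"
    return conn.execute(sql).fetchall()

def safe_lookup(conn, customer: str) -> list:
    # A bound parameter is always treated as data; the quote and OR in the
    # attacker's string never become SQL syntax.
    sql = "SELECT customer, number FROM cards WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()

def guarded_lookup(conn, customer: str) -> list:
    """Hypothetical prevention gate around the flawed query: the request was
    made on behalf of one customer, so any row for someone else means the
    query was subverted. Stop the request instead of returning the data."""
    rows = vulnerable_lookup(conn, customer)
    if any(row[0] != customer for row in rows):
        raise PermissionError(
            f"request for {customer!r} returned {len(rows)} rows, "
            "including other customers' cards; blocked")
    return rows

# The payload Joe Hacker submits in place of a customer name.
INJECTION = "x' OR '1'='1"

def run_demo() -> dict:
    """Return the outcome of each variant so the contrast can be checked."""
    conn = build_db()
    outcome = {
        "honest_rows":   len(vulnerable_lookup(conn, "alice")),
        "injected_rows": len(vulnerable_lookup(conn, INJECTION)),
        "safe_rows":     len(safe_lookup(conn, INJECTION)),
    }
    try:
        guarded_lookup(conn, INJECTION)
        outcome["blocked"] = False
    except PermissionError:
        outcome["blocked"] = True
    return outcome

if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:14} {v}")
```

The concatenated query turns `customer = 'x' OR '1'='1'` into a condition that is true for every row, which is exactly the "all these credit card numbers" case. Parameterizing the query is the real fix; the gate is the fallback that a prevention layer provides when the application code cannot be trusted to have been fixed everywhere.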

Intrusion prevention systems definitely hold a lot of promise for big businesses and the small-business market, as the current price gap between product classes shrinks. But they aren't perfect. Of particular note is the problem of false positives, when legitimate traffic is misidentified as malicious. This may be merely irritating in an IDS, but false positives in a prevention system can disastrously interrupt valid business transactions. This means you'll need to fine-tune your system whenever something changes, as when you add a patch or a new application. On the other hand, with an intrusion prevention system in place, you'll have more time to test and install patches, because the agent narrows what an attacker can do with a vulnerability in the meantime.
